What's new in ISO/IEC 27001:2013?

e-Security | Vol: 36-12014 © CyberSecurity Malaysia 2014 - All Rights Reserved 10

A.12 Operations security, A.13 Communications security, A.14 System acquisition, development and maintenance, A.15 Supplier relationships, A.16 Information security incident management, A.17 Information security aspects of business continuity, and A.18 Compliance. Refer to Figure 1 for an overall view of the new ISMS requirements and information security controls in ISO/IEC 27001:2013.

Figure 1: Requirements and information security controls in ISO/IEC 27001:2013

Lastly, the content of the standard has been revised and improved overall so that organisations can understand it more easily. For example, in ISO/IEC 27001:2005 the topics for conducting ISMS reviews were scattered across several clauses; in the new standard they are grouped together under Clause 9, Performance evaluation.

3. How to migrate to the new ISO/IEC 27001:2013?

Firstly, organisations are recommended to send their relevant personnel for training. Personnel in charge of the ISMS should attend relevant training sessions to gain a better understanding of the new requirements in ISO/IEC 27001:2013. Examples of relevant training programmes are Introduction to ISO/IEC 27001:2013 and Migration to ISO/IEC 27001:2013.

Next, organisations that have implemented ISO/IEC 27001:2005 are advised to conduct a thorough gap analysis, because several requirements and controls have been added, revised or deleted in the revised ISO/IEC 27001:2013 and its companion ISO/IEC 27002:2013. A thorough gap analysis lets the organisation assess the gap between its currently implemented ISMS and the new ISO/IEC 27001, understand the additional actions needed to comply with it, and develop a detailed migration plan with a timeline.
Furthermore, organisations should review their current documents, since most of them will probably need to be changed and updated to suit ISO/IEC 27001:2013. One document that must be updated is the Statement of Applicability (SOA). The SOA describes the control objectives and controls that are relevant and applicable to the organisation's ISMS; it lists all information security controls that the organisation has implemented and should be implementing. If new information security controls from ISO/IEC 27002:2013 are to be implemented, the SOA should be updated to reflect this change. Organisations may also need to develop new policies and procedures for the new ISO/IEC 27001. Finally, adequate awareness briefings should be conducted for all relevant employees and external parties. The purpose is to educate employees on the changes and brief them on any additional roles and responsibilities. Awareness briefings for external parties should include vendors and contractors.

4. What guidelines can help with migration to ISO/IEC 27001:2013?

There is a document called Standing Document 3 (SD3), produced by Working Group 1 (WG1) of Subcommittee 27 (SC27), that provides guidance to organisations intending to migrate to ISO/IEC 27001:2013. The purpose of SD3 is to show the correspondence between the 2005 editions of ISO/IEC 27001 and ISO/IEC 27002 and the 2013 editions of ISO/IEC 27001 and ISO/IEC 27002. The SD3 document contains three tables:

• Table A: Comparison between ISO/IEC 27001:2013 and ISO/IEC 27001:2005
• Table B: Comparison between ISO/IEC 27002:2005 and ISO/IEC 27002:2013
• Table C: Comparison between ISO/IEC 27002:2013 and ISO/IEC 27002:2005

The SD3 document is freely downloadable from http://www.jtc1sc27.din.de/sixcms_upload/media/3031/SD3.pdf. Organisations can refer to these tables to better understand the requirements and controls in the revised ISO/IEC 27001:2013.

5. When is the deadline to migrate to ISO/IEC 27001:2013?

Organisations currently certified to ISO/IEC 27001:2005 need not worry, as they will not have to migrate to the new ISO/IEC 27001:2013 immediately. There is a transition period for migration to ISO/IEC 27001:2013 so that all tasks can be completed in an orderly manner. According to the International Accreditation Forum (IAF) 27th General Assembly held in Seoul on 25 October 2013, a two-year period from 1 October 2013, the publication date of ISO/IEC 27001:2013, is allowed for migration to ISO/IEC 27001:2013 (source: IAF Resolution 2013-13 – Endorsing a Normative Document). This means the last date for organisations to comply with ISO/IEC 27001:2013 is 30 September 2015.

Conclusion

Organisations are advised to start their ISO/IEC 27001:2013 migration activities now and not wait until the last minute. They are also advised to work closely with their certification body (CB) to ensure a smooth migration to ISO/IEC 27001:2013. The guidance provided in this article can be used as a reference. By ensuring continuous compliance with ISO/IEC 27001, it is hoped that organisations will be able to continue managing information security efficiently and effectively.